apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  namespace: {{ .Release.Namespace }}
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
{{- with .Values.controlPlane.serviceAccountAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
  {{- range . }}
  - name: {{ . | quote }}
  {{- end }}
{{- end }}
{{- if (eq .Values.controlPlane.environment "kubernetes") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
      - configmaps
      - nodes
  {{- if .Values.experimental.gatewayAPI }}
      - secrets
  {{- end }}
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - "batch"
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gatewayclasses
      - gateways
      - referencegrants
      - httproutes
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gatewayclasses/status
      - gateways/status
      - httproutes/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - delete
      - list
      - watch
      - create
      - update
      - patch
  - apiGroups:
      - kuma.io
    resources:
      - dataplanes
      - dataplaneinsights
      - meshes
      - zones
      - zoneinsights
      - zoneingresses
      - zoneingressinsights
      - zoneegresses
      - zoneegressinsights
      - meshinsights
      - serviceinsights
      - proxytemplates
      - ratelimits
      - trafficpermissions
      - trafficroutes
      - timeouts
      - retries
      - circuitbreakers
      - virtualoutbounds
      - containerpatches
      - externalservices
      - faultinjections
      - healthchecks
      - trafficlogs
      - traffictraces
      - meshgateways
      - meshgatewayroutes
      - meshgatewayinstances
  {{- if .Values.experimental.gatewayAPI }}
      - meshgatewayconfigs
  {{- end }}
  {{- range $policy, $v := .Values.plugins.policies }}
  {{- if $v }}
      - {{ $policy }}
  {{- end}}
  {{- end}}
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - kuma.io
    resources:
      - meshgatewayinstances/status
      - meshgatewayinstances/finalizers
      - meshes/finalizers
      - dataplanes/finalizers
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - pods/finalizers
    verbs:
      - get
      - patch
      - update
  {{- if .Values.cni.enabled }}
  - apiGroups:
      - k8s.cni.cncf.io
    resources:
      - network-attachment-definitions
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - update
  - apiGroups:
      - "pods"
    resources:
      - pods
    verbs:
      - list
  {{- end }}
  # validate k8s token before issuing mTLS cert
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "kuma.name" . }}-control-plane
subjects:
  - kind: ServiceAccount
    name: {{ include "kuma.name" . }}-control-plane
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  namespace: {{ .Release.Namespace }}
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # leader-for-life election deletes Pods in some circumstances
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  namespace: {{ .Release.Namespace }}
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kuma.name" . }}-control-plane
subjects:
  - kind: ServiceAccount
    name: {{ include "kuma.name" . }}-control-plane
    namespace: {{ .Release.Namespace }}
{{- end }}
